Posts Tagged ‘internet’

Emile Zola famously stated back in 1901, “In my view, you cannot claim to have really seen something until you have photographed it.” Today, some make a similar joke: “it did not happen unless it is posted on Facebook.”

For those who use Facebook, whose friends are on the site and logging in many times a day, we have come to experience the world differently. We are increasingly aware of how our lives will look as a Facebook photo, status update or check-in. As I type this in a coffee shop, I can “check-in” on Foursquare, I can “tweet” a funny one-liner overheard from the table next to me and I can take an ‘interesting’ photo of the perfectly-formed foam on top of my cappuccino. It is easy; I can do all of this and more from my phone in a matter of minutes. And, most importantly, there will be an audience for all of this. Hundreds of the people I am closest with will view all of this and some will reply with comments and “likes.”

Simply, I have been trained to see the world in terms of what I can post to the Internet. I’ve learned to live and present a life that is “likeable.”

Atlantic editor Alexis Madrigal wrote about how technology changes consciousness. For example, the invention of the railroad changed our perception of speed. He writes, “humans had to learn to look at the landscape, instead of trying to focus on the foreground.” The photograph Zola spoke of did the same. Invented some 150 years ago, photography caused a global sensation around the new possibility: to document ourselves and our world in new ways, in greater detail and in lasting permanence.

Today, social media has also provided a new, more social way to document ourselves, our lives and our world. Never before was it possible to record and display to all of our friends a stream of photos, check-ins and status updates filled with our thoughts and opinions in such quantity and with such ease. The transformative power of social media surely is of similar magnitude and consequence as the invention of the photograph.

The photographer knows well that after taking many pictures one develops “the camera eye”: vision becomes like the viewfinder, always perceiving the world through the logic of the camera mechanism via framing, lighting, depth of field, focus, movement and so on. Even without the camera in hand the world becomes transformed into the status of the potential-photograph.

Today, we are in danger of developing a “Facebook Eye”: our brains always looking for moments where the ephemeral blur of lived experience might best be translated into a Facebook post; one that will draw the most comments and “likes.”

Facebook fixates the present as always a future past. By this I mean that social media users have become always aware of the present as something we can post online that will be consumed by others. Are we becoming so concerned about posting our lives on Facebook that we forget to live our lives in the here-and-now? Think of a time when you took a trip holding a camera in your hand and then think of when you did the same without the camera. The experience is slightly different. We have a different attachment to our present when we are not concerned with documenting.

Today, social media means we are always traveling with the camera in our hands (metaphorically and often literally); we always can document. When going to see live music I notice more and more people distracted from the performance in order to take photos and videos to post to Facebook and YouTube. When the breakfast I made the other week looked especially delicious, I posted a photo of it before even taking a bite. The Facebook Eye in action.

Susan Sontag once wrote that “everything exists to end in a photograph” and today we might say that more and more of what we do exists to end up on Facebook. The tail of Facebook documentation has come to wag the dog of lived experience.

I’d say that in about half of my business conversations, I have almost no idea what other people are saying to me. The language of internet business models has made the problem even worse. When I was younger, if I didn’t understand what people were saying, I thought I was stupid. Now I realize that if it’s to people’s benefit that I understand them but I don’t, then they’re the ones who are stupid.

There are at least five strains of this epidemic.

Abstractionitis: We have forgotten how to use the real names of real things. Like doorknobs. Instead, people talk about the idea of doorknobs, without actually using the word “doorknob.” So a new idea for a doorknob becomes “an innovation in residential access.” Expose yourself repeatedly to the extrapolation of this practice to things more complicated than a doorknob and you really just need to carry Excedrin around with you all day.

Acronymitis: This is a disease of epic proportions in the world of charity. I was at a meeting just two days ago at which several well-meaning staff members of a charity were presenting to their board, and the meat of their discussion revolved around the acronyms SCEA and some other one that began with “R” that I can’t recall. In the span of three minutes these acronyms must have been used eight times each. They were central to any understanding of the topic at hand, but they were never defined. So I had not the vaguest idea what the presenters were talking about. None. Could have been talking about how to make a beurre-blanc sauce for all I know.

Valley Girl 2.0: My partner and I were at a restaurant in the San Fernando Valley five years ago, and a real-live Valley girl was sitting in the booth behind us talking on her cell phone. We couldn’t stop listening to her. She had a world-class ability to string together half-sentences devoid of any substance whatsoever. And yet you felt as if something important were being discussed! “And she was like, ummm, and I was just like, you know, umm, no way, really, like, yeah, and when she was like that, I was just like..umm….” She could go on in this way for extended periods of time without mentioning any actual people, actions, or thoughts. There’s a business version of this illness. It involves the use of words such as “space,” “around,” “synergy,” and “value-add” with a healthy dose of equivocators like “sort of” and “kind of” to ensure that there is no commitment to anything being said: “I’m in the sort of sustainability space around kind of bringing synergistic value-add to other people’s work around this kind of space.” Oh, OK, that explains it.

Meaningless Expressions: I wrote about the phrase “thinking outside the box” recently and how overused and utterly misunderstood the expression is. There are many more. Another term that has lost its meaning is “Let’s exceed the customer’s expectations.” Employees who hear it just leave the pep rally, inhabit some kind of temporary dazed intensity, and then go back to doing things exactly the way they did before the speech. Customers almost universally never experience their expectations being met, much less exceeded. How can you exceed the customer’s expectations if you have no idea what those expectations are? I was at a Hilton a few weeks ago. They had taken this absurdity to its logical end. There was a huge sign in the lobby that said, “Our goal is to exceed the customer’s expectation.” The best way to start would be to take down that bullshit sign that just reminds me, as a customer, how cosmic the gap is between what businesses say and what they do. My expectation is not to have signs around that tell me you want to exceed my expectations.

Abstract Valley Girl 2.0 Acronymitis Using Meaningless Expressions: This is when you combine the four diseases above. So you get phrases like, “You should meet this guy with the SIO. He’s sort of this kind of social entrepreneur thinking outside of the box in the sustainability space and working on these ideas around sort of web-based social media, and he’s in a round two capital raise in the VP space with the people at SVNP.” How many times have you heard what you now recall to be precisely this sentence?

This would all be funny if it weren’t true. People just don’t make sense anymore. You’ll save yourself a lot of trouble if you internalize this. Observe it, deconstruct it, and appreciate just how ridiculous most business conversation has become.

You will gain tremendous credibility, become much more productive, make those around you much more productive, and experience a great deal more joy in your working life if you look someone in the eye after hearing one of these verbal brain jammers and tell the person, “I don’t have any idea what you just said to me.”

Couldn’t agree more with this article by Dan Pallotta on HBR. The levels of buzz-words and fluff used in business nowadays (especially in the internet industry) have reached ridiculous levels and there is a drastic need to deconstruct and simplify our everyday lexicon.

Highly recommend visiting the site and reading the comments. The one below, in particular, is pure gold:

While in the run-up to transitioning in this phase of right-sizing and redeployment, we still need to—at the end of the day—drill down and make sure that our mission-critical, goal-oriented core competencies are in alignment and on the same page as the most current best-practices paradigm. While we as a customer-centric long-tail company are still on the runway, we need to each firewall enough time to allow out-of-the-box thinking and strategize the low-hanging fruit in the marketplace. Envisioning the metrics here will require accountability management on each team member to come up with a value-added solution that doesn’t require putting out fires or a lot of bandwidth. Bottom line? The truth is we have to step up, work smarter, not harder, and create a Web 2.0 solution. This is an exciting model for limitless potential and mutually agreed synergies!

I’ve got an open door policy, so touch base and keep me in the loop. If we can move forward and proactively get on the same page about this, it’ll be a win-win-win. Remember: our people make the difference.

To answer the question posed by the chart (Is there a tech bubble?) the best answer is: This chart doesn’t have the answer. Investors are willing to pay the prices they’re paying for private and public stock either because they believe they can get their money out before the market realizes there is a bubble (a risky strategy) or because they really think that these companies will grow quickly and eventually settle at mundane multiples, like Google and Microsoft.

A few weeks ago a postdoc in my lab logged on to Amazon to buy the lab an extra copy of Peter Lawrence’s The Making of a Fly – a classic work in developmental biology that we – and most other Drosophila developmental biologists – consult regularly. The book, published in 1992, is out of print. But Amazon listed 17 copies for sale: 15 used from $35.54, and 2 new from $1,730,045.91 (+$3.99 shipping).

I sent a screen capture to the author – who was appropriately amused and intrigued. But I doubt even he would argue the book is worth THAT much.

At first I thought it was a joke – a graduate student with too much time on their hands. But there were TWO new copies for sale, each being offered for well over a million dollars. And the two sellers seemed not only legit, but fairly big time (over 8,000 and 125,000 ratings in the last year respectively). The prices looked random – suggesting they were set by a computer. But how did they get so out of whack?

Amazingly, when I reloaded the page the next day, both prices had gone UP! Each was now nearly $2.8 million. And whereas previously the prices were $400,000 apart, they were now within $5,000 of each other. Now I was intrigued, and I started to follow the page incessantly. By the end of the day the higher priced copy had gone up again. This time to $3,536,675.57. And now a pattern was emerging.

On the day we discovered the million dollar prices, the copy offered by bordeebook was 1.270589 times the price of the copy offered by profnath. And now the bordeebook copy was 1.270589 times profnath again. So clearly at least one of the sellers was setting their price algorithmically in response to changes in the other’s price. I continued to watch carefully and the full pattern emerged.

Once a day profnath set their price to be 0.9983 times bordeebook’s price. The prices would remain close for several hours, until bordeebook “noticed” profnath’s change and elevated their price to 1.270589 times profnath’s higher price. The pattern continued perfectly for the next week.

But two questions remained. Why were they doing this, and how long would it go on before they noticed? As I amusedly watched the price rise every day, I learned that Amazon retailers are increasingly using algorithmic pricing (something Amazon itself does on a large scale), with a number of companies offering pricing algorithms/services to retailers. Both profnath and bordeebook were clearly using automatic pricing – employing algorithms that didn’t have a built-in sanity check on the prices they produced. But the two retailers were clearly employing different strategies.

The behavior of profnath is easy to deconstruct. They presumably have a new copy of the book, and want to make sure theirs is the lowest priced – but only by a tiny bit ($9.98 compared to $10.00). Why though would bordeebook want to make sure theirs is always more expensive? Since the prices of all the sellers are posted, this would seem to guarantee they would get no sales. But maybe this isn’t right – they have a huge volume of positive feedback – far more than most others. And some buyers might choose to pay a few extra dollars for the level of confidence in the transaction this might impart. Nonetheless this seems like a fairly risky thing to rely on – most people probably don’t behave that way – and meanwhile you’ve got a book sitting on the shelf collecting dust. Unless, of course, you don’t actually have the book….

My preferred explanation for bordeebook’s pricing is that they do not actually possess the book. Rather, they noticed that someone else listed a copy for sale, and so they put it up as well – relying on their better feedback record to attract buyers. But, of course, if someone actually orders the book, they have to get it – so they have to set their price significantly higher – say 1.27059 times higher – than the price they’d have to pay to get the book elsewhere.

What’s fascinating about all this is the seemingly endless possibilities for both chaos and mischief. It seems impossible that we stumbled onto the only example of this kind of upward pricing spiral – all it took were two sellers adjusting their prices in response to each other by factors whose products were greater than 1. And while it might have been more difficult to deconstruct, one can easily see how even more bizarre things could happen when more than two sellers are in the game. And as soon as it was clear what was going on here, I and the people I talked to about this couldn’t help but start thinking about ways to exploit our ability to predict how others would price their books down to the 5th significant digit – especially when they were clearly not paying careful attention to what their algorithms were doing.

But, alas, somebody ultimately noticed. The price peaked on April 18th, but on April 19th profnath’s price dropped to $106.23, and bordeebook soon followed suit to the predictable $106.23 * 1.27059 = $134.97. But Peter Lawrence can now comfortably boast that one of the biggest and most respected companies on Earth valued his great book at $23,698,655.93 (plus $3.99 shipping).

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

So let’s dive into the world of passwords, and look at what makes a password secure in practical terms.

How to hack a password

The work involved in hacking passwords is very simple. There are 5 proven ways to do so:

Asking: Amazingly the most common way to gain access to someone’s password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn’t going to change this.

Guessing: This is the second most common method to access a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife’s name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.

Brute force attack: Very simple to do. A hacker simply attempts to sign in using different passwords one at a time. If your password is “sun”, he will attempt to sign in using “aaa, aab, aac, aad … sul, sum, sun (MATCH)”. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).

Common word attacks: A simple form of brute-force attack, where the hacker attempts to sign in using a list of common words. Instead of trying different combinations of letters, the hacker tries different words, e.g. “sum, summer, summit, sump, sun (MATCH)”.

Dictionary attacks: Same concept as common word attacks – the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).

When is a password secure?

You cannot protect against “asking” and “guessing”, but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn’t going to sit around manually trying 500,000 different words to see if one of them is your password.

The measure of security must then be “how many password requests can the automated program make – e.g. per second”. The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.

This means it takes the following time to hack a simple password like “sun”:

This is of course a highly insecure password, but how much time is enough for a password to be secure?

1 minute – a password that can be hacked in 1 minute is far too risky

10 minutes – still far too risky

1 hour – still not good enough

1 day – now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very small. Still, it is plausible.

1 month – this is something that only a dedicated attacker would do.

1 year – now we are moving from practical risk to theoretical risk. If you are NASA or the CIA then it is unacceptable. For the rest of us, well – you do not have those kinds of enemies, nor is your company data that interesting.

10 years – Now we are talking purely theoretical.

A lifetime: 100 years – this is really the limit for most people. Who cares about their password being hacked after they have died? Still, it is nice to know that you use a password that is “secure for life”.

But let’s take a full swing at this. Let’s look at “100 years – secure for life”. It has a good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky – that he accidentally finds the right password after only 15 years instead of 100. It happens.

Let’s step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack – let’s call this “secure forever”. That ought to be good enough, right?

Making usable and secure passwords

Now that we have covered the basics, let’s look at some real examples, and see just how usable we can make a password, while still being “secure forever”.

Note: The examples below are based on 100 password requests per second. The result shown for each password is the time taken by the most effective way to hack that specific password – whether that is brute force, common words or a dictionary attack.

First let’s look at the common 6 character password – using different methods:

In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.

Does that mean that the IT departments and security companies are right? Nope, it just means that a 6 character password isn’t going to work. No one can remember a password like “J4fS<2”, which evidently means that it will be written on a post-it note.

To make usable passwords we need to look at them differently. First of all, use words you can remember: something simple that you can type fast.

Like these:

Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But by simply using 3 words instead of two, you suddenly have an extremely secure password.

It takes:

1,163,859 years using a brute-force method

2,537 years using a common word attack

39,637,240 years using a dictionary attack

It is 10 times more secure to use “this is fun” as your password than “J4fS<2”.
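As an added example that is not part of the original post, the calculator below reproduces the post’s model: 100 guesses per second, a 26-letter alphabet for brute force (with spaces counted as positions, which is what makes “this is fun” an 11-character brute-force target), a 20,000-word common-word list and a 500,000-word dictionary. Those keyspace sizes are assumptions reverse-engineered from the post’s own figures; the 95-character printable alphabet used for mixed passwords such as “J4fS<2” is mine, since the post’s table for that case is not reproduced here. Function names are mine as well.

```python
# Added example, not code from the original post: time-to-crack under the
# post's online-guessing model. Keyspace sizes are assumptions chosen to
# match the post's published figures.
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # the post uses 365-day years

LETTER_ALPHABET = 26        # brute force over one-case letters, spaces included as positions
PRINTABLE_ALPHABET = 95     # assumed for mixed-case/number/symbol passwords (printable ASCII)
COMMON_WORD_LIST = 20_000   # assumed size of a "common word" list
DICTIONARY = 500_000        # "about 500,000 words in the English language"


def guesses_needed(password):
    """Worst-case number of guesses for each attack in the post's model.

    Word-list attacks only apply when the password is made of plain
    lowercase words; for anything else they are reported as inf
    (not applicable), so a random 6-character string is not wrongly
    credited to a word list it would never appear in."""
    words = password.split(" ")
    all_words = all(w.isalpha() and w.islower() for w in words)
    alphabet = LETTER_ALPHABET if all_words else PRINTABLE_ALPHABET
    return {
        "brute force": alphabet ** len(password),
        "common words": COMMON_WORD_LIST ** len(words) if all_words else math.inf,
        "dictionary": DICTIONARY ** len(words) if all_words else math.inf,
    }


def seconds_to_crack(password, guesses_per_second=100):
    return {name: n / guesses_per_second
            for name, n in guesses_needed(password).items()}


def years_to_crack(password, guesses_per_second=100):
    """Whole years per attack, rounded the way the post's tables are."""
    return {name: (math.inf if math.isinf(s) else round(s / SECONDS_PER_YEAR))
            for name, s in seconds_to_crack(password, guesses_per_second).items()}


def weakest_attack(password, guesses_per_second=100):
    """The attack that cracks the password fastest, and its time in seconds."""
    times = seconds_to_crack(password, guesses_per_second)
    name = min(times, key=times.get)
    return name, times[name]


if __name__ == "__main__":
    for pw in ("sun", "alpine fun", "this is fun", "J4fS<2"):
        name, secs = weakest_attack(pw)
        print(f"{pw!r:14} weakest attack: {name:13} "
              f"{secs / SECONDS_PER_YEAR:,.2f} years   all: {years_to_crack(pw)}")
```

Under these assumptions “this is fun” yields exactly the post’s 1,163,859 / 2,537 / 39,637,240 years, “sun” falls to brute force in about 3 minutes, and “J4fS<2” survives about 233 years of brute force, roughly a tenth of the weakest attack on “this is fun”, which is the comparison the post draws. The `guesses_per_second` parameter is there for a reason: the 100-per-second figure describes online guessing against a login form. It does not describe offline cracking of a stolen password-hash database, where rates are many orders of magnitude higher and only length and unpredictability help.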

If you want to be insanely secure, simply choose uncommon words as your password, like:

A usable and secure password is then not a complex one. It is one that you can remember – a simple password using 3+ words.

It is not just about passwords

One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking passwords in the first place. This is a very simple thing to do.

All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:

Add a time delay between sign-in attempts: instead of allowing people to sign in again and again and again, add a 5 second delay between each attempt.

It is short enough not to be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password and to type in a new one). And it forces the hacker to make sign-in requests only once every 5 seconds (instead of 100 times per second).

Add a penalty period of something like 1 hour if a person has typed a wrong password more than, say, 10 times. Again, this seriously disrupts the hacking script from working effectively.

A hacker can hack the password “alpine fun” in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.
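As an added example that is not part of the original post, the throttle below implements the two rules just described (a 5 second minimum interval between attempts on one account, and a 1 hour penalty after 10 wrong passwords) with an injected clock, so the attacker arithmetic can be replayed instantly instead of waited for. Class and function names are mine; the real credential check is passed in as a callable.

```python
# Added example, not code from the original post: a per-account login
# throttle with the post's two rules, plus a replay of an attacker sending
# 100 guesses per second to count how many actually get evaluated.
import time
from dataclasses import dataclass

MIN_INTERVAL = 5          # seconds that must pass between attempts on one account
MAX_FAILURES = 10         # wrong passwords allowed before the penalty period
PENALTY = 60 * 60         # penalty period in seconds (1 hour)
GUESSES_PER_SECOND = 100  # attacker speed assumed by the post
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


@dataclass
class AccountState:
    last_attempt: float = float("-inf")
    failures: int = 0
    locked_until: float = float("-inf")


class LoginThrottle:
    """Wraps a credential check so that at most one password is evaluated per
    MIN_INTERVAL seconds per account, and MAX_FAILURES wrong passwords lock
    the account for PENALTY seconds. Rejected attempts never reach the check."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify      # verify(username, password) -> bool
        self._clock = clock        # injectable for testing
        self._accounts = {}

    def attempt(self, username, password):
        now = self._clock()
        st = self._accounts.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"        # in the penalty period: password not checked
        if now - st.last_attempt < MIN_INTERVAL:
            return "too_fast"      # inside the 5 second window: password not checked
        st.last_attempt = now
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + PENALTY
            return "locked"
        return "wrong"


def guesses_evaluated(seconds, rate=GUESSES_PER_SECOND):
    """How many of an attacker's guesses, sent at `rate` per second for
    `seconds`, actually reach the credential check. The attacker is assumed
    never to guess right, so every evaluated guess is a failure."""
    clock = [0.0]
    evaluated = [0]

    def always_wrong(username, password):
        evaluated[0] += 1
        return False

    throttle = LoginThrottle(always_wrong, clock=lambda: clock[0])
    for k in range(seconds * rate):
        clock[0] = k / rate
        throttle.attempt("victim", f"guess{k}")
    return evaluated[0]


def years_to_exhaust(guesses):
    """Years for an attacker to get `guesses` passwords evaluated: each
    lockout cycle yields MAX_FAILURES evaluations over
    (MAX_FAILURES - 1) * MIN_INTERVAL + PENALTY seconds."""
    cycle = (MAX_FAILURES - 1) * MIN_INTERVAL + PENALTY
    return round(guesses * cycle / MAX_FAILURES / SECONDS_PER_YEAR)


if __name__ == "__main__":
    print("guesses evaluated in the first hour:", guesses_evaluated(3600))
    print("years to exhaust a 20,000-word two-word list:", years_to_exhaust(20_000 ** 2))
```

With these settings an attacker sending 100 guesses per second gets only 10 of them evaluated in the first hour, and about 10 per 3,645 seconds thereafter, so the 400 million guesses a two-word common-word attack needs (20,000²) take thousands of years rather than months. One trade-off to keep in mind: because the lockout is keyed by account, anyone who knows a username can lock its owner out for an hour, so production systems usually pair per-account rules with per-client limits and alerting on lockout bursts.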

Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.